Introduce "cross-origin-isolated" permission

source

@@ -4197,6 +4197,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     <li>"<dfn data-x="autoplay-feature"><code data-x="">autoplay</code></dfn>", which has a <span
     data-x="concept-default-allowlist">default allowlist</span> of <code
     data-x="">'self'</code>.</li>
+    <li>"<dfn data-x="cross-origin-isolated-permission"><code
+    data-x="">cross-origin-isolated</code></dfn>", which has a <span
+    data-x="concept-default-allowlist">default allowlist</span> of <code
+    data-x="">'self'</code>.</li>
     <li>"<dfn data-x="document-domain-feature"><code data-x="">document-domain</code></dfn>", which
     has a <span data-x="concept-default-allowlist">default allowlist</span> of <code
     data-x="">*</code>.</li>
@@ -79107,7 +79111,15 @@ interface <dfn>BarProp</dfn> {
      <dt>The <span data-x="concept-settings-object-embedder-policy">embedder policy</span></dt>
      <dd><p>Return <var>window</var>'s <span data-x="concept-document-window">associated
      <code>Document</code></span>'s <span data-x="concept-document-embedder-policy">embedder
-     policy</span>.</p>
+     policy</span>.</p></dd>
+
+     <dt>The <span data-x="concept-settings-object-effective-cross-origin-isolated">effective
+     cross-origin isolated</span> boolean</dt>
+     <dd><p>Return the logical conjunction of <var>realm</var>'s corresponding <span>agent
+     cluster</span>'s <span>cross-origin isolated</span> and whether <var>window</var>'s <span
+     data-x="concept-document-window">associated <code>Document</code></span> is <span>allowed to
+     use</span> the "<code
+     data-x="cross-origin-isolated-permission">cross-origin-isolated</code>".</p></dd>
     </dl>
    </li>
 
@@ -87565,6 +87577,12 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
    check">cross-origin resource policy checks</span> for <span data-x="concept-fetch">fetches</span>
    performed using this <span>environment settings object</span> as a <span
    data-x="concept-request-client">request client</span>.</p></dd>
+
+   <dt>An <dfn data-x="concept-settings-object-effective-cross-origin-isolated" data-export=""
+   data-dfn-for="environment settings object">effective cross-origin isolated</dfn> boolean</dt>
+
+   <dd><p>A boolean representing whether it is allowed to use APIs that requires cross-origin
+   isolation.</p></dd>
   </dl>
 
   <p>An <span>environment settings object</span> also has an <dfn>outstanding rejected promises
@@ -92513,12 +92531,11 @@ interface mixin <dfn>WindowOrWorkerGlobalScope</dfn> {
    <dd><p>Returns the global object's <span>origin</span>, serialized as string.</p></dd>
 
    <dt>self . <code subdfn data-x="dom-crossOriginIsolated">crossOriginIsolated</code></dt>
-   <dd><p>Returns whether the <span>surrounding agent</span>'s <span>agent cluster</span> is
-   <span>cross-origin isolated</span>. This depends on the `<code
-   data-x="">Cross-Origin-Opener-Policy</code>` and `<code
-   data-x="">Cross-Origin-Embedder-Policy</code>` HTTP response headers and determines whether
-   <code>SharedArrayBuffer</code> can be used with <code data-x="">postMessage()</code>
-   APIs.</p></dd>
+   <dd><p>Returns whether it is allowed to use APIs that require cross-origin isolattion.
+   This depends on the `<code data-x="">Cross-Origin-Opener-Policy</code>` and `<code
+   data-x="">Cross-Origin-Embedder-Policy</code>` HTTP response headers and the
+   "<code data-x="cross-origin-isolated-permission">cross-origin-isolated</code>"
+   permission.</p></dd>
   </dl>
 
   <div class="example">
@@ -92550,7 +92567,8 @@ document.body.appendChild(frame)</code></pre>
   origin">serialized</span>.</p>
 
   <p>The <dfn data-x="dom-crossOriginIsolated"><code>crossOriginIsolated</code></dfn> getter steps
-  are to return the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
+  are to return <span>this</span>'s <span>relevant settings object</span>'s <span
+  data-x="concept-settings-object-effective-cross-origin-isolated">effective cross-origin
   isolated</span>.</p>
 
   </div>
@@ -98975,6 +98993,11 @@ interface <dfn>WorkerGlobalScope</dfn> : <span>EventTarget</span> {
   data-dfn-for="WorkerGlobalScope" data-x="concept-WorkerGlobalScope-module-map">module map</dfn>.
   It is a <span>module map</span>, initially empty.</p>
 
+  <p>A <code>WorkerGlobalScope</code> object has an associated <dfn data-export=""
+  data-dfn-for="WorkerGlobalScope"
+  data-x="concept-WorkerGlobalScope-effective-cross-origin-isolated">effective cross-origin
+  isolated</dfn> boolean. It is initially false.</p>
+
   </div>
 
   <dl class="domintro">
@@ -99370,6 +99393,17 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
    <li><p>Let <var>destination</var> be "<code data-x="">sharedworker</code>" if <var>is
    shared</var> is true, and "<code data-x="">worker</code>" otherwise.</p></li>
 
+   <li><p>Set <var>worker global scope</var>'s <span
+   data-x="concept-WorkerGlobalScope-effective-cross-origin-isolated">effective cross-origin
+   isolated</span> to <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin
+   isolated</span>.</p></li>
+
+   <li><p>If <var>is shared</var> is false and <var>owner</var>'s <span
+   data-x="concept-settings-object-effective-cross-origin-isolated">effective cross-origin
+   isolated</span> is false, then set <var>worker global scope</var>'s <span
+   data-x="concept-WorkerGlobalScope-effective-cross-origin-isolated">effective cross-origin
+   isolated</span> to false.</p></li>
+
    <li>
     <p>Obtain <var>script</var> by switching on the value of <var>options</var>'s <code
     data-x="">type</code> member:</p>
@@ -99410,6 +99444,13 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
      <span data-x="parse-referrer-policy-header">parsing the `<code>Referrer-Policy</code>`
      header</span> of <var>response</var>.</p></li>
 
+     <li><p>If <var>is shared</var> is false and <var>response</var>'s
+     <span data-x="concept-response-url">url</span>'s <span
+     data-x="concept-url-scheme">scheme</span> is "<code data-x="">data</code>", then set
+     <var>worker global scope</var>'s <span
+     data-x="concept-WorkerGlobalScope-effective-cross-origin-isolated">effective cross-origin
+     isolated</span> to false.
+
      <li><p>If <var>response</var>'s <span data-x="concept-response-url">url</span>'s <span
      data-x="concept-url-scheme">scheme</span> is a <span>local scheme</span>, then set
      <var>worker global scope</var>'s <span
@@ -99735,6 +99776,12 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
       <p>Return <var>worker global scope</var>'s <span
       data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span>.</p>
      </dd>
+
+     <dt>The <span data-x="concept-settings-object-effective-cross-origin-isolated">effective
+     cross-origin isolated</span> boolean</dt>
+     <dd><p>Return <var>worker global scope</var>'s <span
+     data-x="concept-WorkerGlobalScope-effective-cross-origin-isolated">effective cross-origin
+     isolated</span>.</p></dd>
     </dl>
    </li>